|
| 1 | +<?php |
| 2 | +namespace CHoltermann\Extrasalt; |
| 3 | + |
| 4 | +/** |
| 5 | + * This file is part of the TYPO3 CMS project. |
| 6 | + * |
| 7 | + * It is free software; you can redistribute it and/or modify it under |
| 8 | + * the terms of the GNU General Public License, either version 2 |
| 9 | + * of the License, or any later version. |
| 10 | + * |
| 11 | + * For the full copyright and license information, please read the |
| 12 | + * LICENSE.txt file that was distributed with this source code. |
| 13 | + * |
| 14 | + * The TYPO3 project - inspiring people to share! |
| 15 | + */ |
| 16 | + |
| 17 | +/** |
| 18 | + * Class that implements Blowfish salted hashing based on PHP's |
| 19 | + * crypt() function. |
| 20 | + * |
| 21 | + * Credits to http://www.techrepublic.com/blog/australian-technology/securing-passwords-with-blowfish/ |
| 22 | + * |
| 23 | + * @author Christoph Holtermann <mail@c-holtermann.net> |
| 24 | + */ |
| 25 | + |
| 26 | +class BlowfishSalt extends \TYPO3\CMS\Saltedpasswords\Salt\AbstractSalt implements \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface { |
| 27 | + |
| 28 | + const identKey = "CHoltermann\Extrasalt\BlowfishSalt"; |
| 29 | + |
| 30 | + /** |
| 31 | + * Keeps a string for mapping an int to the corresponding |
| 32 | + * base 64 character. |
| 33 | + */ |
| 34 | + const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; |
| 35 | + |
| 36 | + /** |
| 37 | + * Setting string to indicate type of hashing method (Blowfish). |
| 38 | + * |
| 39 | + * @var string |
| 40 | + */ |
| 41 | + static protected $settingBlowfish = '$2y$'; |
| 42 | + |
| 43 | + /** |
| 44 | + * Keeps length of a Blowfish salt in bytes. |
| 45 | + * |
| 46 | + * @var integer |
| 47 | + */ |
| 48 | + static protected $saltLengthBlowfish = 22; |
| 49 | + |
| 50 | + /** |
| 51 | + * Method applies settings (prefix, optional hash count, optional suffix) |
| 52 | + * to a salt. |
| 53 | + * |
| 54 | + * @param string $salt A salt to apply setting to |
| 55 | + * @return string Salt with setting |
| 56 | + */ |
| 57 | + protected function applySettingsToSalt($salt) |
| 58 | + {} |
| 59 | + |
| 60 | + /** |
| 61 | + * Generates a random base salt settings for the hash. |
| 62 | + * |
| 63 | + * @return string A string containing settings and a random salt |
| 64 | + */ |
| 65 | + protected function getGeneratedSalt() |
| 66 | + {} |
| 67 | + |
| 68 | + /** |
| 69 | + * Returns a string for mapping an int to the corresponding base 64 character. |
| 70 | + * |
| 71 | + * @return string String for mapping an int to the corresponding base 64 character |
| 72 | + */ |
| 73 | + protected function getItoa64() |
| 74 | + { |
| 75 | + return self::ITOA64; |
| 76 | + } |
| 77 | + |
| 78 | + /** |
| 79 | + * Returns setting string of Blowfish salted hashes. |
| 80 | + * |
| 81 | + * @return string Setting string of Blowfish salted hashes |
| 82 | + */ |
| 83 | + public function getSetting() { |
| 84 | + return self::$settingBlowfish; |
| 85 | + } |
| 86 | + |
| 87 | + /** |
| 88 | + * Method checks if a given plaintext password is correct by comparing it with |
| 89 | + * a given salted hashed password. |
| 90 | + * |
| 91 | + * @param string $plainPW plain-text password to compare with salted hash |
| 92 | + * @param string $saltedHashPW Salted hash to compare plain-text password with |
| 93 | + * @return boolean TRUE, if plaintext password is correct, otherwise FALSE |
| 94 | + */ |
| 95 | + public function checkPassword($plainPW, $saltedHashPW) |
| 96 | + { |
| 97 | + $isCorrect = FALSE; |
| 98 | + if ($this->isValidSalt($saltedHashPW)) { |
| 99 | + $isCorrect = crypt($plainPW, $saltedHashPW) == $saltedHashPW; |
| 100 | + } |
| 101 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt checkPassword plainPW: '.$plainPW.' saltedHashPW: '.$saltedHashPW.' ok: '.$isCorrect, $this->identKey, -1); |
| 102 | + return $isCorrect; |
| 103 | + } |
| 104 | + |
| 105 | + /** |
| 106 | + * Returns length of required salt. |
| 107 | + * |
| 108 | + * @ToDo remove debug log |
| 109 | + * @return integer Length of required salt |
| 110 | + */ |
| 111 | + public function getSaltLength() |
| 112 | + { |
| 113 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt getSaltLength: '.self::$saltLengthBlowfish, $this->identKey, -1); |
| 114 | + return self::$saltLengthBlowfish; |
| 115 | + } |
| 116 | + |
| 117 | + /** |
| 118 | + * Returns whether all prequesites for the hashing methods are matched |
| 119 | + * |
| 120 | + * @ToDo implement |
| 121 | + * @return boolean Method available |
| 122 | + */ |
| 123 | + public function isAvailable() |
| 124 | + { |
| 125 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isAvailable', $this->identKey, -1); |
| 126 | + } |
| 127 | + |
| 128 | + /** |
| 129 | + * Method creates a salted hash for a given plaintext password |
| 130 | + * |
| 131 | + * @ToDo implement |
| 132 | + * @param string $password Plaintext password to create a salted hash from |
| 133 | + * @param string $salt Optional custom salt to use |
| 134 | + * @return string Salted hashed password |
| 135 | + */ |
| 136 | + public function getHashedPassword($password, $salt = NULL) |
| 137 | + { |
| 138 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt getHashedPassword', $this->identKey, -1); |
| 139 | + } |
| 140 | + |
| 141 | + /** |
| 142 | + * Checks whether a user's hashed password needs to be replaced with a new hash. |
| 143 | + * |
| 144 | + * This is typically called during the login process when the plain text |
| 145 | + * password is available. A new hash is needed when the desired iteration |
| 146 | + * count has changed through a change in the variable $hashCount or |
| 147 | + * HASH_COUNT or if the user's password hash was generated in an bulk update |
| 148 | + * with class ext_update. |
| 149 | + * |
| 150 | + * @Todo implement |
| 151 | + * @param string $passString Salted hash to check if it needs an update |
| 152 | + * @return boolean TRUE if salted hash needs an update, otherwise FALSE |
| 153 | + */ |
| 154 | + public function isHashUpdateNeeded($passString) |
| 155 | + { |
| 156 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isHashUpdateNeeded', $this->identKey, -1); |
| 157 | + } |
| 158 | + |
| 159 | + /** |
| 160 | + * Method returns TRUE if hash starts with Prefix typical for Blowfish Hashes |
| 161 | + * |
| 162 | + * @param string $hash Hash to check |
| 163 | + * @return boolean TRUE if hash starts with Blowfish prefix otherwise FALSE |
| 164 | + */ |
| 165 | + protected function hashHasPrefixBlowfish($hash) |
| 166 | + { |
| 167 | + $prefixBlowfish = $this->getSetting(); |
| 168 | + if (!strncmp($hash, $prefixBlowfish, strlen($prefixBlowfish))) {return TRUE;} else {return FALSE;} |
| 169 | + } |
| 170 | + |
| 171 | + /** |
| 172 | + * Method returns cost parameter of Blowfish Hash |
| 173 | + * |
| 174 | + * @param string $hash Hash to check |
| 175 | + * @return string cost parameter of length 2 or FALSE if invalid |
| 176 | + */ |
| 177 | + protected function hashGetCostBlowfish($hash) |
| 178 | + { |
| 179 | + $costBlowfish = FALSE; |
| 180 | + $prefixBlowfish = $this->getSetting(); |
| 181 | + $costBlowfishRegion = substr($hash, strlen($prefixBlowfish)-1, 4); |
| 182 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashGetCostBlowfish '.$costBlowfishRegion, $this->identKey, -1); |
| 183 | + if (!strncmp('$', $costBlowfishRegion, 1) && !substr_compare($costBlowfishRegion, '$', -1, 1)) |
| 184 | + { |
| 185 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashGetCostBlowfish validCostRegion', $this->identKey, -1); |
| 186 | + $costBlowfish = substr($costBlowfishRegion, 1, 2); |
| 187 | + } |
| 188 | + return $costBlowfish; |
| 189 | + } |
| 190 | + |
| 191 | + /** |
| 192 | + * Method returns salt part of Blowfish Hash |
| 193 | + * |
| 194 | + * return string after prefix and cost, from position 7 to end |
| 195 | + * |
| 196 | + * @param string $hash Hash to process |
| 197 | + * @return string salt |
| 198 | + */ |
| 199 | + protected function hashGetSaltBlowfish($hash) |
| 200 | + { |
| 201 | + $prefixBlowfish = $this->getSetting(); |
| 202 | + $lengthPrefixBlowfish = strlen($prefixBlowfish); |
| 203 | + $lengthCostBlowfish = 3; |
| 204 | + $saltBlowfish = substr($hash, $lengthPrefixBlowfish+$lengthCostBlowfish); |
| 205 | + return $saltBlowfish; |
| 206 | + } |
| 207 | + |
| 208 | + /** |
| 209 | + * Method determines if a given string is a valid salt |
| 210 | + * |
| 211 | + * @ToDo implement |
| 212 | + * @param string $salt String to check |
| 213 | + * @return boolean TRUE if it's valid salt, otherwise FALSE |
| 214 | + */ |
| 215 | + public function isValidSalt($salt) |
| 216 | + { |
| 217 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isValidSalt', $this->identKey, -1); |
| 218 | + $isValid = FALSE; |
| 219 | + $reqLenBase64 = $this->getLengthBase64FromBytes($this->getSaltLength()); |
| 220 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isValidSalt reqLenBase64: '.$reqLenBase64, $this->identKey, -1); |
| 221 | + if (strlen($salt) >= $reqLenBase64) { |
| 222 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isValidSalt reqLenBase64 ok', $this->identKey, -1); |
| 223 | + if ($this->hashHasPrefixBlowfish($salt)) { |
| 224 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashHasPrefixBlowfish ok', $this->identKey, -1); |
| 225 | + $costBlowfish = $this->hashGetCostBlowfish($salt); |
| 226 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashGetCostBlowfish: '.$costBlowfish, $this->identKey, -1); |
| 227 | + |
| 228 | + if ($costBlowfish) |
| 229 | + { |
| 230 | + $saltBlowfish = $this->hashGetSaltBlowfish($salt); |
| 231 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashGetSaltBlowfish: '.$saltBlowfish, $this->identKey, -1); |
| 232 | + $lengthSaltBlowfish = strlen($saltBlowfish); |
| 233 | + if ($lengthSaltBlowfish >= 22) |
| 234 | + { |
| 235 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt hashGetSaltBlowfish length>=22 -> ok', $this->identKey, -1); |
| 236 | + // check if salt and PW contain only valid characters |
| 237 | + if (preg_match('/^[' . preg_quote($this->getItoa64(), '/') . ']+$/', $saltBlowfish )) { |
| 238 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt preg_match ok', $this->identKey, -1); |
| 239 | + $isValid = TRUE; |
| 240 | + } |
| 241 | + } |
| 242 | + } |
| 243 | + } |
| 244 | + } |
| 245 | + |
| 246 | + return $isValid; |
| 247 | + } |
| 248 | + |
| 249 | + |
| 250 | + /** |
| 251 | + * Method determines if a given string is a valid salted hashed password. |
| 252 | + * |
| 253 | + * @param string $saltedPW String to check |
| 254 | + * @return boolean TRUE if it's valid salted hashed password, otherwise FALSE |
| 255 | + */ |
| 256 | + public function isValidSaltedPW($saltedPW) { |
| 257 | + \TYPO3\CMS\Core\Utility\GeneralUtility::devLog('BlowFishSalt isValidSaltedPW', $this->identKey, -1, array($saltedPW)); |
| 258 | + $isValid = FALSE; |
| 259 | + $isValid = !strncmp($this->getSetting(), $saltedPW, strlen($this->getSetting())) ? TRUE : FALSE; |
| 260 | + if ($isValid) { |
| 261 | + $isValid = $this->isValidSalt($saltedPW); |
| 262 | + } |
| 263 | + return $isValid; |
| 264 | + } |
| 265 | + |
| 266 | +} |
0 commit comments